Getting not authorized error with SM protecting TEWS on subsequent calls with Forgotten Password.

Document ID : KB000052137
Last Modified Date : 14/02/2018

Description:

Forgotten Password is a three-step TEWS call. With TEWS protected by SM and the correct SM security parameters set in web.xml, the customer notices that only the first Forgotten Password TEWS call (to verify user identity) succeeds; the subsequent TEWS call comes back with a "401 Not Authorized" error on the client side. This document describes a workaround, since the problem lies within Apache Axis and not in the client-side TEWS code or IDM.

Solution:

Apache Axis 1.3 and 1.4 have a problem with the way they send cookie headers. They send each cookie in its own header line, in the form:

cookie: cookie1=value
cookie: cookie2=value

The above format is not RFC compliant, and web servers reject all but the first cookie because they expect the cookies in the RFC-compliant form:

cookie: cookie1=value; cookie2=value

There is a patch for the Axis clients; however, it is a manual patch that requires recompiling Axis. The patch for Axis 1.4 is attached.
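
To confirm that a client is affected, capture one of its requests and check it for repeated cookie header lines. The Python below is an added example, not part of the original document or of the attached Axis patch; it lists the cookie headers in a raw request and shows the single-header form a server expects. The sample request (host, path, header values) is constructed for illustration.

```python
CRLF = "\r\n"

# Constructed sample request in the non-compliant form described above.
# Host and path are placeholders, not real TEWS values.
SAMPLE_REQUEST = CRLF.join([
    "POST /placeholder/tews-endpoint HTTP/1.1",
    "Host: idm.example.com",
    "Content-Type: text/xml; charset=utf-8",
    "cookie: cookie1=value",
    "cookie: cookie2=value",
    "Content-Length: 0",
    "",
    "",
])


def split_request(raw):
    """Split a raw request into (request_line, [(name, value), ...], body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip anything that is not "name: value"
            headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def cookie_values(raw):
    """Return the value of every cookie header line, in wire order."""
    _, headers, _ = split_request(raw)
    return [v for n, v in headers if n.lower() == "cookie"]


def fold_cookie_headers(raw):
    """Rewrite the request so all cookies travel in one cookie header."""
    request_line, headers, body = split_request(raw)
    merged = "; ".join(v for n, v in headers if n.lower() == "cookie" and v)
    out, emitted = [request_line], False
    for name, value in headers:
        if name.lower() != "cookie":
            out.append(f"{name}: {value}")
        elif not emitted and merged:
            out.append(f"cookie: {merged}")  # one header, at the first cookie's position
            emitted = True
    return CRLF.join(out) + CRLF + CRLF + body
```

More than one entry returned by `cookie_values` for a captured request indicates the client is sending the split form described above.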

File Attachments:
TEC507554.zip